CVE-2026-35412Incorrect Authorization in Directus

CWE-863Incorrect Authorization696 documents4 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 90.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Directus
Timeline
Latest updateApr 4
PublishedApr 6

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permissi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:LExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

CVEListV5directus/directus< 11.16.1
npmdirectus/directus< 11.16.1

🔴Vulnerability Details

2
OSV
Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite2026-04-04
GHSA
Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite2026-04-04

🕵️Threat Intelligence

693
Wiz
GHSA-w3hv-x4fp-6h6j Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-34373 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-34076 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-2739 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-1527 Impact, Exploitability, and Mitigation Steps | Wiz